High-entropy random selection protocols
description
Transcript of High-entropy random selection protocols
High-entropy High-entropy random selection random selection
protocolsprotocolsMichalMichal Koucký Koucký
(Institute of Mathematics, Prague)(Institute of Mathematics, Prague)
Harry Buhrman, Matthias Christandl, Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, Zvi Lotker, Boaz Patt-Shamir,
KoliaVereshchaginKoliaVereshchagin
2
Random string selection:Random string selection:
Alice Alice BobBob
Goal: Goal: Alice and Bob want to agree on a Alice and Bob want to agree on a random random string string rr..
3
Goal: Goal: Alice and Bob want to agree on a Alice and Bob want to agree on a random random string string rr..
→→ Measure of randomness:Measure of randomness: Shannon entropy Shannon entropy
H( H( RR ) = - ) = - rr Pr[ Pr[RR = = rr ] ∙ log Pr[ ] ∙ log Pr[ RR = = rr ] ]
e.g.e.g. RR uniform on {0,1} uniform on {0,1}nn →→ H( H( RR ) = ) = nn
RR uniform on 0 uniform on 0nn/2/2{0,1}{0,1}nn/2/2 →→ H( H( RR ) = ) = n n /2/2
RR uniform on 0 uniform on 0nn →→ H( H( RR ) = 0) = 0
4
Example:Example:
random random rr11rr22 … … rrnn/2/2
Alice Alice
random random rrnn/2+1/2+1 … … rrnn
BobBob
→→ output output rr = = rr11rr22 … … rrnn
H( H( R R ) = ) = nn if Alice and Bob follow the if Alice and Bob follow the protocol.protocol.
H( H( R R ) ) nn/2/2 if one of them if one of them cheatscheats..
5
Main results:Main results: Random selection protocol that Random selection protocol that
guaranteesguarantees H( H( RR ) ) nn – O(1)– O(1) even if even if one of the parties cheats. This protocol one of the parties cheats. This protocol runs in log* runs in log* n n rounds and communicates rounds and communicates O( O( n n 2 2 ).).
Three-round protocol that guarantees Three-round protocol that guarantees H( H( R R ) ) ¾ ¾ n n and communicates O( and communicates O( n n ) ) bits.bits.
6
Previous work:Previous work: Different variantsDifferent variants
random selection protocol [GGL’95, SV’05, random selection protocol [GGL’95, SV’05, GVZ’06]GVZ’06]
collective coin flipping [B’82, Y’86, B-OL’89, collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …]AN’90, …]
leader selection [AN’90,…]leader selection [AN’90,…] fault-tolerantfault-tolerant computation [GGL’95] computation [GGL’95] multiple-party protocols [AN’90,…]multiple-party protocols [AN’90,…] quantum protocols [ABDR’04]quantum protocols [ABDR’04]
different measuresdifferent measures resilienceresilience statistical distance from uniform distributionstatistical distance from uniform distribution entropyentropy
7
H( H( RR ) ) nn – O(1) – O(1) ((, log, log-1-1 1/ 1/)-resilience.)-resilience.O( log* O( log* nn )-rounds, O( )-rounds, O( n n 2 2 )-communication.)-communication.
[GGL] [GGL] ((, , )-resilience, )-resilience, O( O( n n 2 2 )-rounds, O( )-rounds, O( n n 2 2 )-communication.)-communication.
[SV] [SV] ((, , ++)-resilience, )-resilience, O( log* O( log* nn )-rounds, O( )-rounds, O( n n 2 2 )-communication.)-communication.
[GVZ] [GVZ] ((, , )-resilience)-resilienceO( log* O( log* nn )-rounds, O( )-rounds, O( n n )-communication.)-communication.
BB
{0,1{0,1}}nn
((,,)-resilience:)-resilience:
BB; |; |BB|| 22nn
Pr[Pr[rr BB] ]
8
Our basic protocol:Our basic protocol:
random random xx11, …, , …, xxnn {0,1{0,1}}nn
Alice Alice random random yy {0,1 {0,1}}nn
BobBobrandom random ii {1, …, {1, …, nn}}
→→ output output xxi i yy
H( H( R R ) = ) = nn if Alice and Bob follow the if Alice and Bob follow the protocol.protocol.
H( H( RR ) ) n n – log – log n n if Alice cheats.if Alice cheats.
H( H( RR ) ) n n – O(1)– O(1) if Bob cheats.if Bob cheats.
9
Alice cheats, Bob plays honestly:Alice cheats, Bob plays honestly:
Alice carefully selects Alice carefully selects xx11, …, , …, xxnn
Bob picks a random Bob picks a random yy
for all for all ii and and rr, Pr, Pry y [ [ rr = = xxii y y ] = 2 ] = 2 --nn..
for all for all rr, Pr, Pry y [ [ i i ; ; rr = = xxii y y ] ] nn 2 2 --nn..
H( H( R R ) ) nn – log – log nn . .
10
Alice plays honestly, Bob cheats:Alice plays honestly, Bob cheats:
For any For any rr11, , rr2 2 , … , … rrn n , Pr, Prx x [ [ rr11 = = xx11 , … , … rrnn = = xxn n ] = 2 ] = 2 – – nn22
Pr[ Pr[ rr11 = = xx11 y y , … , … rrnn = = xxnn y y ] ] 2 2 n n – – nn22
where where yy is a function of the random is a function of the random xx11, , xx2 2 , , … … xxn n
H( H( xx11 y y , …, , …, xxnn y y ) ) nn 2 2 - - nn
E[[ H( E[[ H( xxii y y ) ]] ) ]] nn – 1 .– 1 .
H( H( RR ) ) n n – O(1)– O(1)
11
Our basic protocol:Our basic protocol:
random random xx11, …, , …, xxnn {0,1{0,1}}nn
Alice Alice random random yy {0,1 {0,1}}nn
BobBobrandom random ii {1, …, {1, …, nn}}
→→ output output xxi i yy
H( H( R R ) = ) = nn if Alice and Bob follow the if Alice and Bob follow the protocol.protocol.
H( H( RR ) ) n n – log – log n n if Alice cheats.if Alice cheats.
H( H( RR ) ) n n – O(1)– O(1) if Bob cheats.if Bob cheats.
12
Iterating our protocolIterating our protocol
xx11, …, , …, xxmm yy11, …, , …, yym’m’ AA B B
ii jjAA BB r’’ r’’ = … = …
r r = = xxii r’ r’ r’ r’ = = yyii r’’r’’
→→ log* log* nn iterationsiterations H( H( R R ) ) nn – 3 – 3 regardless of who regardless of who cheats.cheats.
13
Protocol PProtocol Pii (A, B)(A, B)
xx11, …, , …, xxllii
AA PPii-1-1(B,A)(B,A) jj yy AA
r r = = xxjj y y
ll00 = = nn llii = log = log llii-1-1 kk = log* = log* n n – l– l
llkk = 2 = 2
14
Claim:Claim: For For i i =0,…, =0,…, kk, output , output RRii of P of Pi i (Alice,Bob) (Alice,Bob) satisfiessatisfies
H( H( RRii ) = ) = nn if Alice and Bob follow the if Alice and Bob follow the protocol.protocol.
H( H( RRii ) ) n n – log 4 – log 4 llii if Alice cheats.if Alice cheats.
H( H( RRii ) ) n n – 2– 2 if Bob cheats. if Bob cheats.
Pf:Pf: Alice carefully selects Alice carefully selects xx11, …, , …, xxllii . .
PPii-1-1(Bob, Alice) gives (Bob, Alice) gives yy = = RRii-1-1
with H( with H( yy| | xx11, …, , …, xxlli i ) ) n n – 2– 2..
Alice carefully selects Alice carefully selects j j to output to output RRi i = = xxjj y y
15
Pf:Pf: Alice carefully selects Alice carefully selects xx11, …, , …, xxllii . .
PPii-1-1(Bob, Alice) gives (Bob, Alice) gives yy = = RRii-1-1
with H( with H( yy| | xx11, …, , …, xxlli i ) ) n n – 2– 2..
Alice carefully selects Alice carefully selects j j to output to output RRi i = = xxjj y y
H( H( xxjj y y )) H( H( xxjj y y | | xx11, …, , …, xxlli i ) )
H( H( y y | | xx11, …, , …, xxlli i ) - H( ) - H( j j | | xx11, …, , …, xxlli i
) )
H( H( y y | | xx11, …, , …, xxlli i ) - H( ) - H( j j ))
n n – 2 – log – 2 – log llii
H( H( xxjj y y , , j j| | xx11, …, , …, xxlli i ) ) H( H( y y | | xx11, …, , …, xxlli i
))
16
Cost of our protocol:Cost of our protocol:
2 log* 2 log* nn roundsrounds
O( O( n n 2 2 ) bits communicated) bits communicated
Question: Question: How to reduce the amount How to reduce the amount of communication close to linear?of communication close to linear?
17
Generic protocol:Generic protocol:
random random x x {0,1 {0,1}}nn
Alice Alice random random yy {0,1 {0,1}}nn
BobBobrandom random ii {1, …, {1, …, nn}}
→→ output output f f ( ( xx ,, yy ,, ii ))
for some for some ff : {0,1} : {0,1}nn {0,1} {0,1}nn {1, …, {1, …, nn}} → → {0,1}{0,1}nn
W.h.p for a random function W.h.p for a random function f f
H( H( RR ) ) n n – O( log – O( log n n ) ) regardless of regardless of cheating.cheating.
18
Explicit candidate functions:Explicit candidate functions:
x x ii yy rotation of rotation of x ix i-times.-times.
ix ix + + yy xx,, yy FFkk i i FFF F = GF(2= GF(2log log nn ) ) kk = = nn / /
log log nn
ix ix + + yy xx,, y y FF i i H H FFF F = GF(2= GF(2nn ) |) |HH|=|=nn
19
Rotations:Rotations:
Fix Fix ii and and jj. For any . For any xx and and yy
( ( x x ii yy ) ) ( ( x x jj y y ) = ) = x x i i x x j j = = x Ax Aijij
where where AAijij has rank has rank n n – 1. – 1.
xx random random n n – 1 – 1 H( H( x Ax Aijij ) ) H( H( x x ii yy , , x x jj y y
))
H( H( R R ) ) nn – log – log nn when Alice cheatswhen Alice cheats
H( H( R R ) ) nn /2/2 when Bob cheatswhen Bob cheats
20
¾¾n-n-protocol:protocol:
1.1. Pick one half of the string by A-B-A Pick one half of the string by A-B-A “rotating” protocol and the other one “rotating” protocol and the other one by B-A-B “rotating” protocol, i.e., use by B-A-B “rotating” protocol, i.e., use the asymmetry in the cheating powers.the asymmetry in the cheating powers.
2.2. The “line” protocol The “line” protocol ix ix + + yy , where , where
xx,, yy [GF(2 [GF(2 nn/4/4 )] )]kk and and kk = 4 = 4
→→ analysis related to the problem of analysis related to the problem of KakeyaKakeya..
21
Kakeya Problem:Kakeya Problem:
PP
FFkk
Q: Q: PP contains a line in each direction. How large contains a line in each direction. How large is is PP ? ?
22
LL … collection of lines; in each direction … collection of lines; in each direction one line.one line.
Conjecture: Conjecture: ||PPL L | must be close to || must be close to |F F ||k k where where PPL L is the union of points in is the union of points in LL..
(|(|F F |>2.)|>2.)
XXLL … random variable – choose a line from … random variable – choose a line from L L at random and pick a random point on it.at random and pick a random point on it.
Def:Def: H(| H(|F F |, |, kk ) = min) = minL L H( H( XXLL ) )
H( H( XXLL ) ) log | log |PPL L ||
23
Geometric protocol:Geometric protocol: ix ix + + yy xx,, yy F F kk i i FF
→→ line given byline given by direction direction x x and point and point yy
Claim:Claim: Let Let RR be the outcome of the be the outcome of the geometric protocol. If Alice is honest then geometric protocol. If Alice is honest then
H( H( R R ) ) H(| H(|FF |, |, kk ). ).Furthermore, Bob can impose H( Furthermore, Bob can impose H( R R ) = ) = H(|H(|FF |, |, kk ). ).
→→ proof of security of our protocol implies proof of security of our protocol implies the conjecture for Kakeya problem.the conjecture for Kakeya problem.
24
Geometric protocol:Geometric protocol: ix ix + + yy xx,, yy F F kk i i FF
→→ line given byline given by direction direction x x and point and point yy
Claim:Claim: Let Let RR be the outcome of the be the outcome of the geometric protocol. If Alice is honest then geometric protocol. If Alice is honest then
H( H( R R ) ) ( (kk /2 + 1)| /2 + 1)|FF | – O(1).| – O(1).
→→ For For kk = 4 and | = 4 and |FF |= 2|= 2nn/4 /4 we get H( we get H( R R ) ) 33nn/4./4.
25
Open problems:Open problems:
Better analysis of our candidate Better analysis of our candidate functions.functions.
Other candidate functions?Other candidate functions? Multiple parties.Multiple parties.